Risk Management Structure

Risks associated to business operations are managed under oversight from the board of directors, within the responsibilities mandated to our division companies, Headquarters Management Committee (HMC) , and relevant committees.

ITOCHU has established internal committees and responsible departments in order to address the various risks associated with the Group's business operations, such as market risk, credit risk, country risk, and investment risk. At the same time, on a Group basis ITOCHU has developed the risk management systems and methods to manage various risks individually and on a companywide basis. Those include a range of management regulations, investment criteria, risk exposure limits, and transaction limits, as well as reporting and monitoring systems. Moreover, ITOCHU regularly reviews the effectiveness of its risk management systems and reports on results and findings to the board of directors.

At the Group level, ITOCHU's structural approach to risk management is overseen by the President and Chief Operating Officer (COO) and the Board of Directors and aims to ensure timely and sound executive decision making. The HMC, which is chaired by the President and COO and comprised of the Chairman and Chief Executive Officer (CEO) and other executives appointed by the President and COO, is the committee that sits at the highest level regarding our risk management system. Subsequent committees that report up to the HMC, also referred to as Principal Internal Committees, which include the Internal Control Committee, Disclosure Committee, ALM Committee, Compliance Committee, Sustainability Committee, Investment Consultative Committee, are responsible for identifying and addressing risks and incidents in their respective fields.

The Sustainability Committee, one of the Principal Internal Committees introduced above, is tasked to promote sustainability in the ITOCHU Group's company-wide risk management. The Committee manages operational ESG risks such as human rights risks, health and safety risks, climate risks, and natural disaster risks, as well as ESG risks related to investments. The Committee cooperates with other Committees as necessary and makes decisions on policies and initiatives to address ESG risks and operational improvements to further mainstream sustainability concerns in our risk management culture. Activities and findings are compiled by the Committee and reported to the Board of Directors annually.

At the individual Company level, each Company's President reports to the Division Company Management Committee (DMC), an advisory body to the Companies. The DMC deliberates on important issues such as those regarding investments, lending, assurance, and business management that have the potential to substantially impact the management of each company. If the risks identified or escalated exceed beyond the responsibilities mandated to the DMC, depending on the gravity of the risk and upon deliberation with other committees as necessary, risk issues may be escalated to the HMC and/or the Board of Directors.

ITOCHU is a company with Audit & Supervisory Board Members and endeavors to strengthen the monitoring/supervising function and ensure the transparency of decision making by having the Audit & Supervisory Board Members (including outside Audit & Supervisory Board Members) fully monitor corporate management. Auditors are therefore independent from the Committees within our risk management structure, including the HMC, but do attend Committees to perform their monitoring/supervising responsibilities. The executives chairing each respective Committee is also required to report to the HMC and/or the President and COO as necessary. The Audit Department directly under COO and other corporate staff departments oversee risks and our group-wide approach to managing risks as assigned within their mandated responsibility, and are also required to support the HMC and their subsequent Committees.

• Organization chart regarding the ITOCHU Group's corporate governance structure and internal controls system
• Overview of ITOCUH Group's main internal committees

With the business environment being filled with rapid changes and uncertainty, the ITOCHU Group recognizes the importance of predicting and preparing for various eventualities. As such, we create and analyze various risk scenarios regarding the various elements of the macroeconomic environment, such as political, legal, economic, socioeconomic, and technological factors, and consider relevant future impacts in our management planning.

Risk Management

Risk Capital Management

Risk Assets and Risk Buffer

Strict Management of Risk Assets

Our basic operational policy involves first calculating risk assets based on the maximum amount of possible future losses from all assets on the balance sheet including investments and all off-balance-sheet transactions. Second, we manage the amount of risk assets within the limits of our risk buffer (Total shareholders' equity + Non-controlling interests). As we promote investments that will lead to evolve existing business moving forward, we will work to maintain risk assets within the limits of our risk buffer, conduct strict risk management, and further strengthen our financial position.

Business Investment Management

Fundamental Approach

Along with strategic business alliances, business investment is an important means of creating new businesses. To actively promote strategic investments in areas of strength in a timely manner, we choose the optimal structure from a wide range of methods, such as establishing a wholly owned subsidiary, implementing joint investment with partners, and participating in management through M&As or converting to a consolidated subsidiary.
In principle, we hold investments continuously. After making each investment, we work to maximize the investee's corporate value and to expand trading profit and dividends received by fully utilizing our Groupwide capabilities. Given such considerations as larger-scale investments in recent years, we are rigorously screening the appropriateness of the business plan and acquisition price. For existing investments, to increase investment earnings and to exit quickly from low-efficiency assets, we are further strengthening monitoring procedures, centered on instituting more rigorous exit criteria and thoroughly implementing periodic investment review.

Decision-Making Process for New Investments

A multilayered decision-making process that achieves quick decision-making by giving a certain level of discretion to the Division Companies while striving to pursue investment return and curb investment risk.

Business Investment Process

Under "Brand-new Deal 2020," in addition to the conventional investment process, we have further strengthened the earnings base to make it more resilient to economic fluctuation by thoroughly verifying the appropriateness of business plans and focusing on the monitoring of sub-subsidiaries. Despite the challenging operating environment, in FYE 2020 profits/losses of Group companies reached a record high for the fourth consecutive year. Besides, amid the COVID-19 pandemic, the ratio of Group companies reporting profits remained high, at 88.6%.
Given the rapidly changing operating environment, we recognize that "prevent" efforts will be an even higher priority in FYE 2021 than in the past. By conducting careful and close monitoring, which is our forte as a company having strengths in the non-resource sector, we will strive to accurately ascertain risks unique to individual businesses. If we anticipate impairment concerns that could result from lower share prices or decreased earnings, we will act preemptively.

Number of Consolidated Subsidiaries and Share of Group Companies Reporting Profits

Security Risk Management

Policy and Basic Concept

The ITOCHU Group aims to reduce and avoid information and data security risks by taking a structured approach to ensure a high level of information security. The Information Security Policy is communicated to all of our executives and employees and serves as the overarching policy that guides our information management initiatives. We have also established the Information Management Code, which includes a code of conduct specific to information and data security to which our executives and employees must comply to. More specifically, rules and standards are strictly set regarding the management of personal information, documents, and IT security to prevent information leakage and breaches.

Structures and Systems

Name	Chairman	Objectives
IT Strategy Council	CDO・CIO	Deliberates regarding IT Strategy (Annual IT Strategic Plan, etc.)

Initiatives

At the ITOCHU Group, we have experienced a data breach incident in the past, where a malware caused confidential client information to be leaked externally. This incident became pivotal in our renewal and improvement of our efforts to prevent similar data breaches from happening ever again. Some of our cornerstone initiatives have been to expand and enhance our basic security infrastructure, renew the structure of our Cyber Security team (ITCCERT: ITOCHU Computer Emergency Readiness, Response & Recovery Team), and hiring expert advanced cybersecurity analysts/.
We routinely collect the latest information regarding potential cyber threats by analyzing system logs and malware and based on findings, implement preventative measures. Additionally, when incidents do occur, we respond instantly by investigating their causes, discussing possible countermeasures, and restoring services. In FYE 2018, we integrated the ITCCERT into our IT Planning Division to further enhance security countermeasures across the entire Group and build internal capacity around information security. We also provide training programs to develop technicians proficient in cyber security. There are few examples of user companies in Japan that are working as actively as we are to develop systems and respond to information security risk. Moving forward, we plan to maintain these initiatives and make enhancements where necessary to ensure sustainable growth that is free from cyber threats.

We periodically engage in the training programs listed below to maintain and improve our information security program.

• We give training to all employees on how to identify and respond to targeted e-mail attacks twice a year.
• All global employees including those in group companies are subject to a mandatory, simultaneous e-learning course on information security, which is held every three years.
• Several times a year, the ITCCERT leads an internal cyber security workshop for the ITOCHU Group companies.
• Policies regarding information security and the management of personal information are required to be communicated to employees upon hiring. If amendments or updates are made to these policies, all executives and employees receive a notification of the changes made. Employees are also updated on such amendments in their periodic e-learning trainings.

Cyber security is especially important to us given that our BCP is supplemented by IT solutions which have enabled us to maintain business operations during the COVID-19 pandemic. Such IT solutions include our adoption of thin clients in all of our internal computers, WEB-based teleconferencing systems, and cloud systems. We ensure that cyber security is monitored in these systems by requiring that all company-wide services and tools are subject to prior assessments.